# The Factory’s Secret

## Problem

There appear to be some mysterious glyphs hidden inside this abandoned factory… I wonder what would happen if you collected them all?

## Solution

This writeup is by my teammate Andrew Chang

# 2Warm

## Problem

Can you convert the number 42 (base 10) to binary (base 2)?

## Solution

``````\$ python
>>> bin(42)
'0b101010'
``````

flag: `picoCTF{101010}`

# Lets Warm Up

## Problem

If I told you a word started with 0x70 in hexadecimal, what would it start with in ASCII?

## Solution

``````\$ python
>>> chr(0x70)
'p'
``````

flag: `picoCTF{p}`

# Warmed Up

## Problem

What is 0x3D (base 16) in decimal (base 10).

## Solution

``````\$ python
>>> 0x3d
61
``````

flag: `picoCTF{61}`

# Bases

## Problem

What does this `bDNhcm5fdGgzX3IwcDM1`mean? I think it has something to do with bases.

## Solution

The flag is encoded with base64.

``````\$ echo "bDNhcm5fdGgzX3IwcDM1" | base64 -d -
l3arn_th3_r0p35
``````

flag: `picoCTF{l3arn_th3_r0p35}`

# First Grep

## Problem

Can you find the flag in file? This would be really tedious to look through manually, something tells me there is a better way. You can also find the file in /problems/first-grep_3_2e09f586a51352180a37e25913f5e5d9 on the shell server.

file

## Solution

As suggested by the challenge name, we can use the bash command grep to search for the flag:

``````\$ grep pico file
picoCTF{grep_is_good_to_find_things_eda8911c}
``````

flag: `picoCTF{grep_is_good_to_find_things_eda8911c}`

# Resources

## Problem

We put together a bunch of resources to help you out on our website! If you go over there, you might even find a flag! https://picoctf.com/resources (link)

## Solution

The flag is on the resources page.

flag: `picoCTF{r3source_pag3_f1ag}`

# strings it

## Problem

Can you find the flag in file without running it? You can also find the file in /problems/strings-it_5_1fd17da9526a76a4fffce289dee10fbb on the shell server.

file

## Solution

We can find the flag with a combination of strings and grep:

``````\$ strings strings | grep pico
picoCTF{5tRIng5_1T_dd38f284}
``````

flag: `picoCTF{5tRIng5_1T_dd38f284}`

# what’s a net cat?

## Problem

Using netcat (nc) is going to be pretty important. Can you connect to `2019shell1.picoctf.com` at port `4158` to get the flag?

## Solution

Use the netcat or nc command:

``````\$ nc 2019shell1.picoctf.com 4158
You're on your way to becoming the net cat master
picoCTF{nEtCat_Mast3ry_700da9c7}
``````

flag: `picoCTF{nEtCat_Mast3ry_700da9c7}`

# Based

## Problem

To get truly 1337, you must understand different data encodings, such as hexadecimal or binary. Can you get the flag from this program to prove you are on the way to becoming 1337? Connect with `nc 2019shell1.picoctf.com 20836`.

## Solution

For this challenge, you have to decode base2, base8, and base16 data. I wrote a short script to automate the process:

``````from pwn import *

sh = remote('2019shell1.picoctf.com', 20836)

binary_data = sh.recvuntil('Input:\n').split('\n')[2].split(' ')[3:-3]
binary_data = ''.join(map(lambda x: chr(int(x, 2)), binary_data))
sh.sendline(binary_data)

oct_data = sh.recvuntil('Input:\n').split('\n')[0].split('the  ')[-1].split(' as')[0].split(' ')
oct_data = ''.join(map(lambda x: chr(int(x, 8)), oct_data))
sh.sendline(oct_data)

hex_data = sh.recvuntil('Input:\n').split('\n')[0].split('the ')[-1].split(' as')[0]
hex_data = hex_data.decode('hex')
sh.sendline(hex_data)

sh.interactive()
``````

flag: `picoCTF{learning_about_converting_values_6cdcad0d}`

# First Grep: Part II

## Problem

Can you find the flag in /problems/first-grep–part-ii_4_ca16fbcd16c92f0cb1e376a6c188d58f/files on the shell server? Remember to use grep.

## Solution

We can use the `-r` option in `grep` to search recursively for the flag:

``````alanc@pico-2019-shell1:/problems/first-grep--part-ii_4_ca16fbcd16c92f0cb1e376a6c188d58f/files\$ grep -r pico .
./files6/file5:picoCTF{grep_r_to_find_this_0e28f3ee}
``````

flag: `picoCTF{grep_r_to_find_this_0e28f3ee}`

# plumbing

## Problem

Sometimes you need to handle process data outside of a file. Can you find a way to keep the output from this program and search for the flag? Connect to `2019shell1.picoctf.com 57911`.

## Solution

We can use the pipe operator to `grep` for the flag:

``````\$ nc 2019shell1.picoctf.com 57911 | grep pico
picoCTF{digital_plumb3r_931b2271}
``````

flag: `picoCTF{digital_plumb3r_931b2271}`

# whats-the-difference

## Problem

Can you spot the difference? kitters cattos. They are also available at /problems/whats-the-difference_0_00862749a2aeb45993f36cc9cf98a47a on the shell server

kitters

cattos

## Solution

The flag is all the bytes that differ between the two files. It can be extracted with a python script:

``````with open('./kitters.jpg', 'rb') as f:

with open('./cattos.jpg', 'rb') as f:

flag = ''
for i in range(min(len(kitters), len(cattos))):
if kitters[i] != cattos[i]:
flag += cattos[i]
print flag
``````

flag: `picoCTF{th3yr3_a5_d1ff3r3nt_4s_bu773r_4nd_j311y_aslkjfdsalkfslkflkjdsfdszmz10548}`

# where-is-the-file

## Problem

I’ve used a super secret mind trick to hide this file. Maybe something lies in /problems/where-is-the-file_4_f26b413d005c16c61f127740ab242b35.

## Solution

On unix systems, files that start with a `.` are hidden by default. We can see these files by using the `-a` option in `ls`:

``````alanc@pico-2019-shell1:/problems/where-is-the-file_4_f26b413d005c16c61f127740ab242b35\$ ls -a
.  ..  .cant_see_me
alanc@pico-2019-shell1:/problems/where-is-the-file_4_f26b413d005c16c61f127740ab242b35\$ cat .cant_see_me
picoCTF{w3ll_that_d1dnt_w0RK_cb4a5081}
``````

flag: `picoCTF{w3ll_that_d1dnt_w0RK_cb4a5081}`

# flag_shop

## Problem

There’s a flag shop selling stuff, can you buy a flag? Source. Connect with `nc 2019shell1.picoctf.com 3967`.

source

## Solution

By reading the source code, we see that the `total_cost` is stored as a 4 byte signed integer:

``````if(number_flags > 0){
int total_cost = 0;
total_cost = 900*number_flags;
printf("\nThe final cost is: %d\n", total_cost);
if(total_cost <= account_balance){
account_balance = account_balance - total_cost;
printf("\nYour current balance after transaction: %d\n\n", account_balance);
}
else{
printf("Not enough funds to complete purchase\n");
}
}
``````

If we enter a large number for `number_flags`, `900*number_flags` would overflow and turn into a large negative number:

``````\$ python
>>> ((1<<31)//900)*1.5
3579138.0
``````
``````\$ nc 2019shell1.picoctf.com 3967
Welcome to the flag exchange
We sell flags

1. Check Account Balance

3. Exit

2
Currently for sale
1. Defintely not the flag Flag
2. 1337 Flag
1
These knockoff Flags cost 900 each, enter desired quantity
3579138

The final cost is: -1073743096

Your current balance after transaction: 1073744196

Welcome to the flag exchange
We sell flags

1. Check Account Balance

3. Exit

2
Currently for sale
1. Defintely not the flag Flag
2. 1337 Flag
2
1337 flags cost 100000 dollars, and we only have 1 in stock
``````

flag: `picoCTF{m0n3y_bag5_cd0ead78}`

# mus1c

## Problem

I wrote you a song. Put it in the picoCTF{} flag format

file

## Solution

The given file is a program written in the esoteric language rockstar. We can run the program using this website:

``````Output:
114
114
114
111
99
107
110
114
110
48
49
49
51
114
``````

A quick conversion from decimal to ascii gives us the flag:

``````\$ python
>>> '''114
... 114
... 114
... 111
... 99
... 107
... 110
... 114
... 110
... 48
... 49
... 49
... 51
... 114'''.strip().split('\n')
['114', '114', '114', '111', '99', '107', '110', '114', '110', '48', '49', '49', '51', '114']
>>> ''.join(map(chr,map(int,_)))
'rrrocknrn0113r'
``````

flag: `picoCTF{rrrocknrn0113r}`

# 1_wanna_b3_a_r0ck5tar

## Problem

I wrote you another song. Put the flag in the picoCTF{} flag format

file

## Solution

This time the program requires some input. We can simply remove these input checks to get to the flag.

Remove these lines:

``````Listen to the music
If the music is a guitar
Say "Keep on rocking!"
Listen to the rhythm
If the rhythm without Music is nothing
...
Else Whisper "That ain't it, Chief"
``````

Output:

``````66
79
78
74
79
86
73
``````

Converting it to ASCII:

``````\$ python
>>> ''.join(map(chr,[66,79,78,74,79,86,73]))
'BONJOVI'
``````

flag: `picoCTF{BONJOVI}`

tweet Share